Form of Business Associate Agreement

EX-10.6 19 ex10-6.htm

 

Exhibit 10.6

 

Kindly MD Inc.

 

BUSINESS ASSOCIATE AGREEMENT

 

This Business Associate agreement (BAA ) is made and entered into as of ____________, (“Effective Date”), by and between Kindly MD Inc. (the “Covered Entity”) and ______________, (the “Business Associate”) (each a “Party” and collectively the “Parties”).

 

Whereas, Covered Entity and Business Associate have entered into one or more agreements (collectively, “Agreement”) under which Business Associate provides certain specified services to Covered Entity (“Services”); and

 

Whereas, in providing services pursuant to the agreement, Business Associate will have access to protected health information (PHI) (as defined below);

 

Whereas, the Services provided by Business Associate to Covered Entity cause Business Associate to be considered a ‘business associate’ under the regulations implementing the Health Insurance Portability and Accountability Act of 1996 and as amended pursuant to the HITECH act; and

 

Whereas, Covered Entity and Business Associates desire to modify the Agreement to include certain provisions required by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (collectively, “HIPAA”).

 

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained in this BAA and the continued provisions of Phi by Covered Entity to Business Associate under the agreement in reliance on this be a, the parties agree as follows:

 

1. DEFINITIONS

 

For purposes of this BAA, the terms below shall have the meanings given to them in this Section or as otherwise defined in this BAA. Capitalized terms used, but not otherwise defined, herein shall have the same meaning as such terms are defined in HIPAA.

 

1.1Designated Record Set” shall mean a group of Records maintained by or for the Covered Entity that:

 

1.1.1consists of medical records and billing records about Individuals maintained by or for the Covered Entity;
1.1.2consists of the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
1.1.3consists of Records used, in whole or part, by or for the Covered Entity to make decisions about individual patients.
1.1.4as used in this Agreement, the term “Record” shall mean any item, collection or a grouping of information that includes PHI and is maintained, collected, used or disseminated by or for the Covered Entity. This term “Designated Record Set” shall not include:

 

 

 

 

1.1.5any information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, including but not limited to, any information subject to the attorney-client privilege, trial preparation immunity, attorney work product, peer review privilege or other privilege under applicable law;
1.1.6Any information in the possession of Business Associate that is the same as information in the possession of Covered Entity; or
1.1.7any information that constitutes ‘psychotherapy notes’ as defined in 45 C.F.R § 164.501.

 

1.2. “De-Identify” shall mean to alter the PHI such that the resulting information meets the requirements described in 45 C.F.R. This is such a pain in the C.F.R. § 164.514(a) and (b).

 

1.3. “Electronic PHI” shall mean any PHI (as defined below) maintained in or transmitted by electronic media as defined in 45 C.F.R. § 160.103.

 

1.4. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.

 

1.5. “Individual” shall have the same meaning as the term ‘individual’ in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative accordance with 45 C.F.R. § 164.502(g).

 

1.6. “Privacy Rule” shall mean the portion of HIPAA set forth in 45 C.F.R. Part 160 and in Subparts A and E of 45 C.F.R. Part 164.

 

1.7. “Protected Health Information” (PHI) shall have the same meaning as such term is defined in 45 C.F.R. 160.103, but limited to such information created, received or maintained by Business Associate to provide Services for or on behalf of Covered Entity.

 

1.8.  “Security Rule” shall mean that portion of HIPAA set forth in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and C which sets standards for the protection of Electronic PHI.

 

1.9.  “Services” means the services provided by Business Associate under the Agreement.

 

1.10. “Unsecured PHI” shall mean any PHI (as defined above) that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued pursuant to Section 13402 (h) (42 U.S.C. § 17932(h)) of the HITECH Act.

 

2. USE AND DISCLOSURE OF PHI

 

2.1. Business Associate may use and disclose PHI in order to provide its Services, and to undertake other activities of Business Associate permitted or required by this BAA, the Agreement or as permitted or required by law.

 

2.2. Business Associate may use PHI for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided that: (i) The disclosures are Required By Law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from the third party that the PHI will be held confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (b) and the third party agrees to notify Business Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

 

 

 

 

2.3. Business Associate may also use and disclose PHI: (i) to report violations of law to federal and state authorities consistent with 45 C.F.R.§ 164.502(j)(1); (ii) to De-identify it in accordance with 45 C.F.R § 164.514, and use such de-identified data for benchmarking and analyses and improve the services provided to Covered Entity and other clients; and (iii) pursuant to an authorization that complies with 45 C.F.R 164.508 and as permitted by 45 C.F.R 164.506(c) provided that OBH shall not solicit such authorizations or initiate such disclosures for its own commercial purposes, and (iv) as otherwise authorized in writing by Covered Entity.

 

2.4.  Business Associate shall not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the HIPAA Privacy Rule, or as required by law. Business Associate Shall use or disclose PHI, in accordance with the minimum necessary standard in 45 C.F.R. 164.502 (b). To the extent Business Associate is required herein to carry any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in performance of such obligations.

 

2.5. In the event Business Associate receives a subpoena, court or administrative order or any other discovery request or mandate for release of PHI that specifically names Covered Entity as the subject of the inquiry, Business Associate shall, to the extent permitted by law, notify Covered Entity in writing prior to responding to such request to enable Covered Entity to object.

 

3. SAFEGUARDS AGAINST MISUSE OF PHI

 

3.1. Business Associate Shall use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the agreement or this BAA; and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, including complying with applicable agreements of 45 C.F.R. Part 164 Subpart C with regard to Electronic PHI.

 

4. REPORTING SECURITY INCIDENTS AND BREACHES OF UNSECURED PHI

 

4.1. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including Breaches of Unsecured PHI, as required by 45 C.F.R. Part 164.410, and any Security Incident of which it becomes aware. In the case of any such use or disclosure that constitutes a Breach of Unsecured PHI, such notification shall be made without unreasonable delay but in no event later than ten (10) business days after Business Associate becomes aware thereof. Notwithstanding the foregoing, the Parties agree that this paragraph satisfies any reporting required by Business Associate of attempted but Unsuccessful Security Incidents (as defined below) from which no additional report shall be required. For the purposes of this BAA, “Unsuccessful Security Incidents” include but are not limited to activities such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful logon attempts, denial of service and any other activities that do not result in unauthorized access, use or disclosure of Electronic PHI.

 

 

 

 

5. MITIGATION OF DISCLOSURES OF PHI

 

5.1. Business Associate shall take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA. Covered Entity shall have sole control over the determination of whether Breach notification is required, and the timing and method of providing notification of such Breach to the affected individual(s) the Secretary and, if applicable, the media. Business Associate shall investigate any use or disclosure of PHI by Business Associate and by olation of the requirements of this BAA and, in the case of a breach, promptly update Covered Entity of any additional material facts uncovered by such investigation, and provide reasonable assistance to Covered Entity in drafting notifications to affected individuals.

 

6. AGREEMENTS WITH SUBCONTRACTORS

 

6.1. Business Associate shall ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate, agree in writing to substantially the same restrictions and conditions concerning uses and disclosures of PHI as contained in this Agreement, including agreeing to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate.

 

7. ACCESS TO PHI BY INDIVIDUALS

 

7.1. Upon Covered Entity’s written request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set within ten (10) business days of receipt of Covered Entity’s request to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 C.F.R. § 164.524.

 

7.2. In the event any Individual makes a written request for access to the Individual’s PHI directly to Business Associate, Business Associate shall forward that request to Covered Entity within ten (10) business days of receipt thereof by Business Associate’s Privacy Office or, at Business Associate’s election, Business Associate may instead respond directly to the request in accordance with 45 C.F.R. § 164.524. For requests forwarded to Covered Entity, any decision to provide access or not to provide access to PHI as requested by an Individual and compliance with the requirements of 45 C.F.R. § 164.524 shall be the sole responsibility of the Covered Entity.

 

8. AMENDMENT OF PHI

 

8.1. Upon Covered Entity’s written request, Business Associate shall amend PHI about an Individual in a Designated Record Set that is maintained by Business Associate as required by 45 C.F.R. § 164.526. Any request by Covered Entity to amend the information shall be completed by Business Associate and accordance with 45 C.F.R. § 164.526 within ten (10) business days of receipt of Covered Entity’s request.

 

 

 

 

8.2. In the event any Individual makes a written request for amendment of the Individual’s PHI directly to Business Associate, Business Associate shall forward the request to Covered Entity within ten (10) business days of receipt thereof by Business Associate’s Privacy Office or, at Business Associate’s election, Business Associate may instead respond directly to the request in accordance with 45 C.F.R. § 164.526. For requests forwarded to Covered Entity, any amendment or decision not to amend the PHI as requested by an Individual and compliance with the requirements of 45 C.F.R. § 164.526 shall be the sole responsibility of the Covered Entity.

 

9. ACCOUNTING OF DISCLOSURES

 

9.1.  Business Associate shall document such disclosures of PHI made by it as required by 45 C.F.R. § 164.528. Business Associate also shall make available information related to the disclosures as would be required for Covered Entity to respond to a request for an accounting of the disclosures in accordance with 45 C.F.R. § 164.528. Business Associate shall furnish Covered Entity with the information required by 45 C.F.R. § 164.528 or the following with respect to any accountable disclosures by Business Associate:

 

9.1.1. the date of disclosure of PHI;

 

9.1.2. the name of the entity or person who received PHI, and, if known, the address of the entity or person;

 

9.1.3. a brief description of the PHI disclosed; and

 

9.1.4. a brief statement of the purpose of the disclosure which includes the basis for the disclosure.

 

9.2. Business Associate hereby agrees to implement an appropriate record keeping system to enable it to comply with the requirements of this Section.

 

9.3. Business Associate shall furnish to Covered Entity information collected in accordance with this Section, within ten (10) business days after receipt of a written request by the Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 C.F.R. § 164.528.

 

9.4. In the event any Individual makes a written request for accounting of the Individual’s PHI directly to Business Associate, Business Associate shall forward the request to Covered Entity within ten (10) business days of receipt thereof by Business Associate’s Privacy Office or, at Business Associate’s election, Business Associate may instead respond directly to the request in accordance with 45 C.F.R. § 164.528. For requests forwarded to Covered Entity, any decision provide or not to provide the PHI as requested by an Individual and compliance with the requirements of 45 C.F.R. § 164.528 shall be the sole responsibility of the Covered Entity.

 

10. AVAILABILITY OF BOOKS AND RECORDS

 

10.1. Business Associate shall make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request to the Secretary for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.

 

 

 

 

11. OBLIGATIONS OF COVERED ENTITY

 

11.1.  Covered Entity shall provide Business Associate with a current copy of and notify Business Associate of any changes to the limitation(s) in its Notice of Privacy Practices issued pursuant to 45 C.F.R. § 164.520, to the extent that the limitation(s) may affect Business Associate’s use or disclosure of PHI.

 

11.2.  Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that the restriction may affect Business Associate’s use or disclosure of PHI.

 

11.3. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent that the changes may affect Business Associate’s use or disclosure of PHI. Covered Entity agrees to obtain any consents or authorizations required for Business Associate to use and disclose PHI as provided herein.

 

11.4. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity except as permitted by 45 C.F.R. § 164.504(e).

 

11.5. Covered Entity shall disclose to Business Associate PHI in the form of a Limited Data Set, to the extent practical, or limit the disclosure, release or access to Business Associate the minimum amount of PHI necessary for Business Associate’s performance of the Services.

 

11.6. Covered Entity shall provide reasonable prior notification to Business Associate in writing of any new limitations or restrictions on the use or disclosure of PHI otherwise permitted or required by this BAA with which Business Associate is required to comply. Notwithstanding the foregoing, in the event Business Associate reasonably believes that any such limitation or restriction materially affects Business Associate’s ability to provide the Services or materially increases the cost of providing such Services, the Parties agree to promptly negotiate in good faith an amendment to the Agreement to adjust the Business Associate’s obligations and/or reflect Business Associate’s increased costs before compliance is required.

 

12. TERM AND TERMINATION

 

12.1. This BAA shall become effective as of the Effective Date, and shall continue in effect until termination of the Agreement except as provided in Section 12.3.

 

12.2. Either Party may terminate this BAA and the Agreement if the other Party has materially breached this BAA and the defaulting Party has failed to cure that material breach within thirty (30) business days after written notice from the non-defaulting Party. In the event that the parties agree that cure is not feasible or accomplished after such 30-day period, The non-defaulting Party may terminate this BAA and the Agreement immediately.

 

12.3. Upon termination of the Agreement or this BAA and the Agreement for any reason, Business Associate shall, if feasible, return to Covered Entity or destroy any PHI it holds. If return or destruction of the PHI it’s not feasible, Business Associate shall extend the protections of this BAA to the information for as long as Business Associate retains the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. This Section 12.3 shall survive any termination of this BAA.

 

 

 

 

13. EFFECT OF BAA

 

13.1. This BAA is part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA shall govern.

 

13.2 Except as expressly stated in this Agreement or as provided by law, this BAA shall not create any rights in favor of any third party.

 

14. REGULATORY REFERENCES

 

14.1. A reference in this BAA to a section in HIPAA means the section as in effect or as amended and as of its applicable compliance date.

 

15. Notices

 

15.1. All notices, requests, demands, or other communications to be given under this Agreement to a Party shall be made via first class, registered, certified, or express mail courier to the Party’s address given below, or via email and secure electronic signature software (such as DocuSign):

 

Kindly MD Inc.

Address: 230 W 400 S Suite 201 Salt Lake City, Utah 84101

Attn: Timothy Pickett

Email: ***@***

 

With a copy to:

Kindly MD Inc.

Address: 230 W 400 S Suite 201 Salt Lake City, Utah 84101

Attn: General Counsel

Email: ***@***

 

16. AMENDMENTS; WAIVER

 

16.1. This BAA may not be modified, nor shall any provisions be waived or amended, except in writing duly signed by authorized representatives of the Parties. The Parties agreed to negotiate in good faith to amend this BAA or the Agreement as necessary to comply with any changes in HIPAA. A waiver with respect to one event shall not be construed as continuing, or as a bar to or a waiver of any right or remedy as to subsequent events.

 

17. INDEMNIFICATION

 

17.1. subject to the limitations of liability set forth in Section 8 of the Agreement, each party (“Indemnitor”) hereby agrees to indemnify, defend, and hold harmless the other party, its officers, employees, workforce members, agents and subcontractors (collectively, “Indemnitee”) from and against any and all claims, losses, damages, costs, expenses, liabilities, assessments, judgments, administrative fines or deficiencies of any nature whatsoever, including, without limitation, reasonable attorneys’ fees and other costs and expenses, suits, actions, or proceedings, which may result from, or constitute any Breach of any Unsecured PHI, or breach of contract, representation, warranty, or covenant contained in this BAA to the extent caused by the negligent or willful acts or emissions of the Indemnitor and not caused by the acts or omissions of the Indemnitee. This indemnification provision is applicable only to the obligations under this BAA.

 

 

 

 

IN WITNESS WHEREOF, the Parties have caused this Agreement to be executed by their authorized representatives, effective on the Effective Date.

 

Kindly MD Incorporated    
     
By:   By:  
Name:   Name:  
Title:   Title:  
Date:   Date: